Apple seeks standard to appease angry university net managers

ATLANTA -- Under fire from its customers in the higher education market, Apple has proposed creating a new industry standard that would fix problems with its Bonjour zero configuration networking technology, which is causing scalability and security problems on campus networks.

Apple described how such a standard could be used at an Internet Engineering Task Force (IETF) meeting held in Atlanta this week. Apple and other vendors including Xirrus, Check Point and IBM support the idea of creating an IETF working group to improve network services like Apple's Bonjour and Linux Avahi, which use an existing IETF protocol called Multicast DNS (MDNS). The new working group would be called MDNS Extensions or MDNSext.

Bonjour is Apple's marketing name for zero configuration networking, which allows a MacBook user to easily log into a local network and find an available printer. Behind the scenes, Bonjour provides automatic address assignment, looks up the host name and delivers available network services.

Bonjour uses MDNS, which transports DNS queries in a zero configuration way but only across local networks, not campus or enterprise networks. When it is deployed on large networks - particularly wired and wireless networks run by universities - Bonjour creates a flood of MDNS traffic, causing headaches for network managers.
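To make the mechanics concrete, the following added example (not from the article, Apple or the IETF draft it describes) builds and parses the kind of DNS-SD browse query Bonjour sends when a device looks for a printer, then runs a simple per-source rate check over constructed sample traffic of the sort a campus network manager might capture. The multicast group 224.0.0.251, UDP port 5353, the zero transaction ID and the `_ipp._tcp.local` service type follow RFC 6762/6763; the sample packets, the IP addresses and the `noisy_sources` threshold are constructed here for illustration.

```python
import struct
from collections import Counter

# mDNS is link-local by design: every query and answer goes to this group,
# which is why it does not cross subnets without a proxy (RFC 6762).
MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
QTYPE_PTR = 12  # DNS-SD "browse" queries ask for PTR records of a service type


def encode_name(name: str) -> bytes:
    """Encode a dotted DNS name into wire-format length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_mdns_query(service: str, qtype: int = QTYPE_PTR) -> bytes:
    """Build a one-question mDNS query, e.g. a DNS-SD browse for _ipp._tcp.local."""
    # mDNS queries carry transaction ID 0 and flags 0; one question, no records.
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    # Class IN with the "unicast response" bit (0x8000) clear: answers are multicast.
    question = encode_name(service) + struct.pack("!HH", qtype, 0x0001)
    return header + question


def decode_name(data: bytes, offset: int):
    """Decode a wire-format name at offset, following compression pointers.
    Returns (dotted_name, offset_after_name_in_the_original_position)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("utf-8"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_mdns_questions(data: bytes):
    """Return [(name, qtype), ...] for the question section of a DNS/mDNS packet."""
    _tid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    return questions


def noisy_sources(packets, window_seconds=1.0, threshold=5):
    """Flag sources that send more than `threshold` browse (PTR) queries in any
    fixed window. `packets` is an iterable of (timestamp, src_ip, udp_payload).
    Returns {src_ip: peak_queries_in_one_window} for the offenders."""
    per_window = Counter()
    for ts, src, payload in packets:
        for _name, qtype in parse_mdns_questions(payload):
            if qtype == QTYPE_PTR:
                per_window[(int(ts // window_seconds), src)] += 1
    peaks = {}
    for (_win, src), count in per_window.items():
        if count > threshold:
            peaks[src] = max(count, peaks.get(src, 0))
    return peaks


# Constructed sample: one host repeats a printer browse ten times in a second,
# another sends a single query. Neither address is real.
_BROWSE = build_mdns_query("_ipp._tcp.local")
SAMPLE_PACKETS = [(0.1 * i, "10.1.2.3", _BROWSE) for i in range(10)]
SAMPLE_PACKETS.append((0.5, "10.1.2.4", _BROWSE))

if __name__ == "__main__":
    print(parse_mdns_questions(_BROWSE))                # [('_ipp._tcp.local.', 12)]
    print(noisy_sources(SAMPLE_PACKETS, 1.0, 5))         # {'10.1.2.3': 10}
```

The same parser works on payloads read from a packet capture of UDP port 5353; the rate check is deliberately coarse and is meant to show where the multicast volume the article describes comes from, not to replace the per-VLAN or proxy-level controls a network team would actually deploy.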

"We targeted Bonjour at home networks, but over the last 10 years Multicast DNS - what Apple calls Bonjour - has become very popular," said Stuart Cheshire, an Apple networking engineer who created Bonjour and wrote the MDNS specifications. "Every network printer uses Bonjour. TiVo, home video recorders and cameras use it. iPads and iPhones use it, and we are starting to get a lot of demand from customers that they won't be able to print from iPads to a printer in the next building."

Cheshire admitted that Apple is responding to demands from university network managers that the company fix Bonjour and related technologies such as AirPrint for printing over Wi-Fi networks and AirPlay for streaming audio and video so they will work better over enterprise networks.

In August, the Educause Higher Ed Wireless Networking Admin Group published an open petition to Apple seeking improved support for Bonjour, AirPlay and AirPrint on large campus networks. The petition has 750 signatures.

The petition notes that Apple represents half of all devices on university networks. It cites increasing demand among campus users for Apple TVs that use AirPlay for presentations and personal use. It also cites increasing user demand for AirPrint from devices such as iPads.

"Limitations of Apple's Apple TV, Airplay and Bonjour technologies make it very difficult to support these scenarios on our standards-based enterprise networks," the petition said.

The higher ed community has asked Apple to fix several aspects of these technologies including: making Apple TVs accessible from Apple client devices across multiple IPv4 and IPv6 subnets; improving Bonjour so that it will work in a scalable way in large enterprise wireless and wired networks; adding support for wireless encryption and authentication methods to Apple TV; and the use of enterprise Authentication, Authorization and Accounting services for Apple devices including Apple TV.

In general, university network managers want Bonjour, AirPlay and AirPrint to be scalable to thousands of devices, to work with wired and wireless networks from different vendors, to not negatively impact network traffic, to be easily manageable on an enterprise scale and to be provided at a reasonable cost.

In response to some of these concerns, Cheshire proposed to the IETF that MDNS be changed to allow for small multicast domains to be created on a large network, without losing the zero configuration and service discovery features.

Cheshire pointed out that several vendors - Xirrus, Aruba, Cisco, Aerohive and Ruckus - are selling Bonjour proxy devices to help enterprise customers by relaying multicast traffic across large networks, but that these devices are making the multicast flooding problem worse.

"The software that already exists in Apple Bonjour and Linux Avahi has some wide-area capabilities. We have some tools to build with, but we have not put it together right," Cheshire said. "The question is whether there is interest in the IETF to step in and do it better."

Representatives of Xirrus, Cisco and Check Point said they were interested in seeing this work go forward at the IETF.

"We would much rather put our development efforts into a standard protocol," said Aaron Smith, Director of Software, Applications and Services at Xirrus. "We are really heavy into the education market; nearly half of our engagements are in K-12 or higher ed. We're very interested in this kind of approach, especially if Multicast DNS would work better on Wi-Fi."

"I fully support this work," said Check Point Fellow Bob Hinden. "It's a real problem today. It's going to be worse with multiple subnets in the home."

Kerry Lynn from the IEEE outlined the requirements for a new standard that would fix MDNS.

"We need to build something that's scalable, usable and deployable," Lynn said. "It needs to enable DNS-based service discovery across lots of links. It needs to work with both local and global use. And it needs to be scalable in terms of network traffic."

Thomas Narten, who works on Internet Technology and Strategy at IBM, led the discussion about creating an MDNSext working group. Narten said he expects the IETF to make progress on creating a standard fix to the Bonjour problem between now and when the IETF meets again in Orlando in March.

"There's a recognition of the problem and a willingness to work on it," Narten said. "We have to figure out how best to get to a solution. The universities are hurting; they're seeing this problem for real."

Copyright 2015 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.